Often the question arises to know if the time stamps in the Windows Event Logs are local or UTC. The answer is more subtle than that. Let’s discuss which time zone is used in the Windows Event Logs and where.
First of all, please note that this discussion apply to the “Operating System Event Logs” you can view with the Event Viewer, such as Application, System, Security and the newer Vista-like Logs such as CAPI/Operational. It does not apply to the various “.log” files you can find in the temp folders, such as the installation traces of Visual Studio.
If you look at your PC or server right now, you will see that the events seem displayed with your local time. But beware This is only valid for the field “Date and Time” as the timestamp is recorded in fact as UTC and the offset is calculated by the client application.
However anything else is just text and is recorded as such so it is recorded by using the timezone of the application which recorded the message. Sounds logical but unclear about the consequences. Let’s take the unexpected shutdown event of a server far far away in another datacenter you would monitor.
You could end up with messages such as:
Log Name: System
Date: 24/08/2021 07:30:36
Event ID: 6008
Task Category: None
The previous system shutdown at 09:30:12 on 24/08/2021 was unexpected.
The timestamp of the event was perfectly recorded as a UTC time value which is converted by the application you are using on your own PC to look at the logs whereas the message that the previous shutdown was unexpected is a text message formatted by the machine in its own time zone.
To demonstrate this, you can execute the following powershell script. (You’ll hear a nice sound when your time zone changes).
# esent is just a source present on any windows pc
Write-EventLog -LogName Application -Source "ESENT" -EntryType Information -EventId 1234 "Hey I'm recording this event at $(Get-Date)"
$evt=Get-EventLog -LogName Application -InstanceId 1234 -Newest 1
# Look at the time field
# Look at the time within the message (discard the error at the beginning)
(Get-TimeZone -ListAvailable)[-1] | Set-Timezone
# we're now in a different time zone
# Look at both times
# back to our time zone
In the above example, the Time field is changed when you’re changing your time zone, whereas the message remains identical.